Xiaomi has made the news off and on in the last few months for its cheap, value-for-money phones and its corporate moves. More recently, there were also reports that these popular devices silently sent user details to a remote server. That news came on the heels of other reports of smartphones being pre-installed with suspect apps.
We thought we'd take a quick look into this, so we got our hands on a brand new RedMi 1S.
We started with a "fresh out of the box" test, so no account was set up and no cloud service connection was allowed. Then we went through the following steps:
• Inserted SIM card
• Connected to WiFi
• Allowed the GPS location service
• Added a new contact into the phonebook
• Sent and received an SMS and MMS message
• Made and received a phone call
We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent the IMEI and phone number to the same server.
The phone numbers of contacts added to the phone book, and of senders of received SMS messages, were also forwarded.
Next we connected to and logged into Mi Cloud, the iCloud-like service from Xiaomi. Then we repeated the same test steps as before. This time, the IMSI details were sent to api.account.xiaomi.com, as well as the IMEI and phone number.
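One way to check a traffic capture for the identifiers listed above, as an added example that is not part of the original post. It assumes the handset's requests were recorded with an intercepting proxy and exported as host/URL/body records; the identifier values, paths, parameter names and the `find_leaks` helper are all constructed for illustration.

```python
import base64
from urllib.parse import quote, unquote

# Constructed identifiers standing in for the test handset's real values.
IDENTIFIERS = {
    "imei": "490154203237518",
    "imsi": "001010123456789",
    "phone_number": "+15555550100",
    "contact_number": "+15555550123",
}

def b64(value):
    return base64.b64encode(value.encode()).decode()

# Constructed proxy records, not captured traffic. The host is the one named
# in the post; the paths and parameter names are placeholders.
SAMPLE_REQUESTS = [
    {"host": "api.account.xiaomi.com", "url": "/PLACEHOLDER?carrier=ExampleTel",
     "body": "imei=490154203237518&phone=%2B15555550100"},
    {"host": "api.account.xiaomi.com", "url": "/PLACEHOLDER",
     "body": "d=" + quote(b64("001010123456789"), safe="")},
    {"host": "time.example", "url": "/sync", "body": ""},
]

def find_leaks(requests, identifiers=IDENTIFIERS):
    """Return sorted (host, identifier, encoding) tuples for each identifier found."""
    hits = set()
    for req in requests:
        raw = req["url"] + "\n" + req["body"]
        # Search both the raw and the percent-decoded text.
        haystack = raw + "\n" + unquote(raw)
        for name, value in identifiers.items():
            forms = {
                # Drop a leading "+" so both +1555... and 1555... match.
                "plain": value.lstrip("+"),
                "base64": b64(value),
            }
            for encoding, needle in forms.items():
                if needle in haystack:
                    hits.add((req["host"], name, encoding))
    return sorted(hits)

if __name__ == "__main__":
    for host, name, encoding in find_leaks(SAMPLE_REQUESTS):
        print(f"{host}: {name} sent ({encoding})")
```

Running the same check before and after the Mi Cloud login shows which identifiers only appear once the account is connected.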
At this point, this was just a quick test to see if the behavior being reported could be confirmed. In response to the reports, Xiaomi itself has released a statement addressing potential privacy concerns (in Chinese on the company's Hong Kong Facebook page, with an English translation linked).